Chapter 22 Exercises: Trade Surveillance — Spoofing, Layering, and Front-Running Detection
Five exercises covering classification, quantitative analysis, rule design, coding extension, and regulatory research. Estimated time: 3–5 hours total.
Exercise 1: Classify the Manipulation (Typology Identification)
Estimated time: 30–45 minutes
Format: Written short-answer (3–5 sentences per scenario)
Read each scenario below. For each:
1. Identify the most likely manipulation typology (spoofing, layering, front-running, marking the close, quote stuffing, pump and dump, cross-asset manipulation, or legitimate trading).
2. Identify the key behavioral features that led to your classification.
3. Note any alternative interpretations that a defense lawyer might raise and explain why the primary classification is still most appropriate.
Scenario A
A trader at a UK equity desk manages a long position of 2 million shares in a mid-cap FTSE 250 stock. The stock's options are due to expire on Friday, and the trader holds a substantial number of call options with a strike price of 420p. On Thursday afternoon, the stock is trading at 415p. Between 3:15pm and 4:30pm London time, the trader buys a total of 800,000 shares in a series of purchases, pushing the price to 422p by the close. On Monday, the trader sells all shares purchased on Thursday, at 418p.
Hint: Consider why Friday's close at 422p matters, what instrument class benefits, and whether the trading pattern has an alternative legitimate explanation.
Scenario B
A hedge fund's algorithmic trading system submits a series of limit sell orders in EUR/USD futures contracts at the following price levels within a 90-second window:
- 1.0855: 300 lots
- 1.0856: 500 lots
- 1.0857: 800 lots
- 1.0858: 1,000 lots
No corresponding buy interest is visible in the fund's position data. Over the next 60 seconds, the price falls from 1.0854 to 1.0848. The algorithm then submits a buy order for 400 lots at 1.0848, which is filled. Over the following 90 seconds, all four sell orders are cancelled. This pattern repeats with minor variations across 12 trading sessions.
Hint: Note the specific structural feature — multiple price levels, same side — and the three-phase sequence.
Scenario C
A broker on a fixed income desk receives a large client order to purchase £50 million of 10-year gilts at market. Before routing the order to the market, the broker purchases £2 million of the same gilt in the firm's proprietary account. The broker then routes the client order, which moves the gilt price upward by approximately 3 basis points. The broker sells the firm's £2 million position 45 seconds later at a 3-basis-point profit.
Hint: Consider the relationship between the broker's information about the client order, the timing of the proprietary trade, and the post-execution reversal.
Scenario D
A retail trader posts a series of enthusiastic messages on a Reddit investing community, describing a small biotech penny stock as a "hidden gem" with "undisclosed pipeline data." The trader has purchased 500,000 shares at $0.12 per share before posting. Following the posts, which are amplified by several other accounts the trader controls through friends, the stock's trading volume rises 1,400% and the price reaches $0.47. The trader sells all shares over the following two trading days. The stock then falls back to $0.15.
Hint: Note the information dissemination mechanism, the price/volume impact, and the sell-into-the-rise pattern. Consider the modern regulatory provisions that address this channel.
Scenario E
A market-making desk in investment grade corporate bonds routinely submits hundreds of bid and ask quotes across dozens of bond issues throughout the trading day. On a typical day, the desk submits approximately 4,000 orders and executes 200, an order-to-trade ratio of 20:1. The desk reprices its quotes frequently in response to changes in the underlying government bond yields and credit spread movements. No specific pattern of manipulation is alleged; the surveillance system flags the high OTR.
Hint: Consider the desk's business function, what legitimate activity looks like, and whether the OTR alone is a sufficient basis for a finding of manipulation.
Exercise 2: Cancel Ratio and Price Impact Analysis
Estimated time: 45–60 minutes
Format: Quantitative analysis with written interpretation
The table below shows order book event data for Trader ID T-1447 in the Bund futures contract over a single 4-hour period. All orders are on the ask (sell) side.
| Order ID | Placed Time | Cancelled Time | Executed Time | Price (EUR) | Qty (lots) | Outcome |
|---|---|---|---|---|---|---|
| ORD-001 | 09:00:12.441 | 09:00:15.223 | — | 133.520 | 200 | Cancelled |
| ORD-002 | 09:00:12.556 | 09:00:15.388 | — | 133.530 | 350 | Cancelled |
| ORD-003 | 09:00:12.801 | 09:00:15.421 | — | 133.540 | 500 | Cancelled |
| ORD-004 | 09:00:12.999 | 09:00:15.488 | — | 133.550 | 800 | Cancelled |
| ORD-005 | 09:00:16.100 | — | 09:00:16.544 | 133.498 | 150 | Executed (BUY) |
| ORD-006 | 09:15:33.221 | 09:15:36.019 | — | 133.490 | 200 | Cancelled |
| ORD-007 | 09:15:33.390 | 09:15:36.140 | — | 133.500 | 400 | Cancelled |
| ORD-008 | 09:15:33.601 | 09:15:36.289 | — | 133.510 | 600 | Cancelled |
| ORD-009 | 09:15:35.001 | — | 09:15:37.002 | 133.478 | 100 | Executed (BUY) |
| ORD-010 | 09:31:04.770 | 09:31:07.512 | — | 133.450 | 250 | Cancelled |
| ORD-011 | 09:31:04.991 | 09:31:07.633 | — | 133.460 | 400 | Cancelled |
| ORD-012 | 09:31:05.221 | 09:31:07.801 | — | 133.470 | 600 | Cancelled |
| ORD-013 | 09:31:05.499 | 09:31:07.944 | — | 133.480 | 900 | Cancelled |
| ORD-014 | 09:31:08.102 | — | 09:31:08.441 | 133.430 | 200 | Executed (BUY) |
| ORD-015 | 10:15:11.222 | — | 10:15:11.890 | 133.412 | 180 | Executed (SELL) |
| ORD-016 | 10:30:44.001 | — | 10:30:45.123 | 133.398 | 175 | Executed (SELL) |
| ORD-017 | 11:00:22.334 | — | 11:00:23.001 | 133.385 | 160 | Executed (SELL) |
| ORD-018 | 11:30:09.556 | — | 11:30:10.002 | 133.377 | 155 | Executed (SELL) |
Additional context:
- The market mid-price at 09:00:12 was 133.505. At 09:00:16, it was 133.498.
- The market mid-price at 09:15:33 was 133.485. At 09:15:37, it was 133.478.
- The market mid-price at 09:31:05 was 133.445. At 09:31:08, it was 133.430.
- Orders ORD-005, ORD-009, and ORD-014 are genuine buy executions (note: "Executed (BUY)" means the trader bought at these prices despite the order being listed on the ask side — treat these as separately flagged genuine purchases).
- Orders ORD-015 through ORD-018 are genuine sell executions.
Tasks:
2a. Calculate the order-to-trade ratio (OTR) for:
- The period 09:00:12 to 09:31:09 (the first three clusters plus genuine buys)
- The overall session (all 18 orders)
Define "executed" as orders with an "Executed" outcome for OTR purposes.
2b. Calculate the time-to-cancellation for each cancelled order (in milliseconds). What is the average time-to-cancellation across all cancelled orders? How does this compare to what you would expect from a market-maker repricing due to genuine market conditions?
2c. For each of the three ask-side order clusters (09:00, 09:15, 09:31), calculate:
- Total fictitious volume (sum of quantities of cancelled orders)
- Price movement from mid-price at cluster placement to mid-price at cluster cancellation, in basis points
- The direction of price movement — does it match what the fictitious ask-side pressure would produce?
2d. Based on your calculations in 2a–2c, does the data support a finding that T-1447 is engaged in spoofing or layering? What additional evidence would you want to review before escalating to Level 2 investigation?
2e. Assuming you escalate to Level 2, identify three specific communications searches you would conduct and explain the rationale for each.
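
The three metrics used in tasks 2a–2c (order-to-trade ratio, time-to-cancellation, and mid-price move in basis points), worked on a small constructed order set rather than T-1447's table. This is an added example, not code from Chapter 22; the `Order` record, the 1-second clustering gap and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

@dataclass
class Order:                       # hypothetical record, not the chapter's OrderEvent
    order_id: str
    placed: datetime
    cancelled: Optional[datetime]  # None means the order executed
    qty: int

def ts(s: str) -> datetime:
    """Parse an HH:MM:SS.mmm timestamp; the date part is irrelevant here."""
    return datetime.strptime(s, "%H:%M:%S.%f")

def order_to_trade_ratio(orders: List[Order]) -> float:
    """Orders submitted per executed order (Scenario E: 4,000 / 200 = 20)."""
    executed = sum(1 for o in orders if o.cancelled is None)
    return len(orders) / executed if executed else float("inf")

def ms_to_cancel(order: Order) -> int:
    """Resting time of a cancelled order, in whole milliseconds."""
    return round((order.cancelled - order.placed).total_seconds() * 1000)

def cancel_clusters(orders: List[Order], max_gap_s: float = 1.0) -> List[List[Order]]:
    """Group cancelled orders whose placement times are at most max_gap_s apart."""
    groups: List[List[Order]] = []
    done = sorted((o for o in orders if o.cancelled is not None), key=lambda o: o.placed)
    for o in done:
        if groups and (o.placed - groups[-1][-1].placed).total_seconds() <= max_gap_s:
            groups[-1].append(o)
        else:
            groups.append([o])
    return groups

def move_bps(mid_start: float, mid_end: float) -> float:
    """Signed mid-price change, in basis points of the starting mid."""
    return (mid_end - mid_start) / mid_start * 10_000

# Constructed sample: two ask-side clusters, each followed by one execution.
SAMPLE = [
    Order("X-1", ts("10:00:00.100"), ts("10:00:02.600"), 100),
    Order("X-2", ts("10:00:00.300"), ts("10:00:02.900"), 200),
    Order("X-3", ts("10:00:03.000"), None, 50),
    Order("X-4", ts("10:20:00.000"), ts("10:20:03.000"), 300),
    Order("X-5", ts("10:20:00.400"), ts("10:20:03.200"), 400),
    Order("X-6", ts("10:20:04.000"), None, 60),
]
for g in cancel_clusters(SAMPLE):
    print([o.order_id for o in g], sum(o.qty for o in g), [ms_to_cancel(o) for o in g])
```

A negative `move_bps` result after an ask-side cluster is the direction that resting sell pressure would be expected to produce; the sign is what task 2c asks you to compare.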
Exercise 3: Design a Layering Detection Rule
Estimated time: 45–60 minutes
Format: Written design document (structured)
You are a senior surveillance analyst at a medium-sized asset management firm. Your firm trades equity futures on CME and Eurex, and government bond futures on ICE and Eurex. Your current surveillance system has a basic OTR rule but no layering-specific detection.
Design a layering detection rule for your firm's surveillance system. Your design document should address the following sections:
3a. Scope Definition
- Which instruments will the rule apply to? Justify your selection.
- Which trader populations will be in scope? Should market-makers be excluded or subject to different thresholds?
3b. Phase 1 Parameters: Placement Cluster Detection
- How many distinct price levels should constitute a minimum cluster? Justify your threshold.
- What time window should the cluster have to complete (i.e., all orders placed within N minutes)? How did you arrive at this window?
- Should you impose a minimum total quantity threshold for the cluster? Why or why not?
- How will you handle orders that are modified (repriced) during the window — do they count as separate price levels or the same order?
3c. Phase 2 Parameters: Price Impact Measurement
- How will you measure the relevant mid-price at the time of cluster placement and at the time of cancellation?
- What minimum price movement (in basis points) should be required to confirm Phase 2? Justify this threshold relative to the typical bid-ask spread and normal price volatility for your chosen instruments.
- What time window will you use for Phase 2 — i.e., how long after cluster placement do you observe the market for the required price movement?
3d. Phase 3 Parameters: Cancellation Measurement
- What fraction of the clustered orders must be cancelled (rather than executed) to trigger the rule?
- Should you apply a time constraint to Phase 3? If so, what window?
3e. Composite Scoring and Alert Severity
- How will you weight the components (Phase 1 severity, Phase 2 impact, Phase 3 cancellation rate) into a composite alert score?
- What score thresholds will correspond to LOW, MEDIUM, HIGH, and CRITICAL severity?
3f. False Positive Mitigations
- List at least three specific adjustments to the rule design that reduce false positives. For each, explain the type of legitimate behavior it protects against.
3g. Governance and Calibration
- How frequently should this rule's thresholds be reviewed?
- What backtesting methodology would you use to validate the rule before deployment?
- What does an acceptable alert rate look like (alerts per week, expected conversion to STOR)?
Exercise 4: Coding Exercise — Extending LayeringDetector for Cross-Instrument Signals
Estimated time: 60–90 minutes
Format: Python code
The LayeringDetector implemented in Chapter 22 analyzes layering within a single instrument. In practice, layering in one instrument is sometimes coordinated with genuine trading in a correlated instrument — for example, layering in Euribor futures to move the price, then taking a position in a related interest rate swap or in Bund futures that benefits from the artificial price move.
Your task is to extend the LayeringDetector class to add cross-instrument awareness.
4a. Add a method analyze_cross_instrument_benefit that:
- Accepts a list of OrderEvent objects for a second instrument (the "benefit instrument")
- Accepts a time window in seconds
- After a layering alert is generated for the primary instrument, checks whether the trader executed genuine orders in the benefit instrument within the time window during or after Phase 2 of the layering scheme
- Returns an enriched alert that notes the cross-instrument trading, the direction of that trading, and the approximate timing relative to the layering episode
- Adds a cross_instrument_correlation field to the alert's details dictionary
4b. Add a method compute_cross_instrument_score_adjustment that:
- Takes the base layering score from the primary instrument alert
- Applies a score adjustment (e.g., +0.20) if cross-instrument genuine trading is detected in the benefit instrument in the correct direction
- Returns the adjusted score and a flag indicating whether cross-instrument activity was found
4c. Write a CrossAssetSurveillanceRunner class that:
- Accepts a list of instrument pairs [(primary_instrument_id, benefit_instrument_id)] to monitor together
- Instantiates a LayeringDetector for each primary instrument
- Runs both analyze_order_book_sequence and analyze_cross_instrument_benefit for each pair
- Aggregates and deduplicates alerts across all pairs
- Returns a sorted list of alerts by score (descending)
4d. Write a brief comment block at the top of your code explaining:
- What manipulation strategy this extension is designed to detect
- What regulatory framework covers this type of cross-asset manipulation (with specific article/rule references)
- One limitation of your implementation and how a more sophisticated version would address it
Sample data structures to use:
```python
from datetime import datetime as dt

# OrderEvent is the event type used with the chapter's LayeringDetector;
# import it from your Chapter 22 code before running this.

# Primary instrument layering event (Euribor futures)
primary_events = [
    OrderEvent('place', 'ORD-001', price=99.620, quantity=300,
               side='ask', timestamp=dt(2025, 3, 15, 9, 0, 12),
               trader_id='TRD-099', instrument_id='ERH25'),
    # ... additional events
]

# Benefit instrument genuine trading (Bund futures - trader benefits from
# Euribor layering because Bund/Euribor spread trade profits if Euribor falls)
benefit_events = [
    OrderEvent('execute', 'ORD-101', price=133.520, quantity=100,
               side='bid', timestamp=dt(2025, 3, 15, 9, 0, 45),
               trader_id='TRD-099', instrument_id='FGBH25'),
    # ... additional events
]
```
Note: You do not need to implement a fully working codebase — focus on the class and method structure, the logic within each method, and the docstrings. Type annotations and clear comments are required. The implementation should be coherent enough to execute correctly if connected to real data.
Exercise 5: Research Exercise — CFTC Spoofing Enforcement
Estimated time: 45–60 minutes
Format: Structured research write-up (400–600 words total)
The CFTC has been the most active enforcement authority for spoofing in financial markets globally. Access the CFTC's public enforcement actions database at https://www.cftc.gov/LawRegulation/EnforcementActions/index.htm and select three spoofing or layering enforcement actions from 2019 or later.
For each case, document:
5a. Case Identification
- Name of the case and date of the enforcement action
- Respondent(s) — individual, firm, or both
- Market/instrument involved
- Penalties imposed (fine, disgorgement, trading ban, etc.)
5b. Behavioral Pattern
- What specific behavior was alleged? Describe the mechanism of the manipulation.
- How was the behavior detected? (If disclosed — many CFTC orders describe whether detection was by exchange, broker, or internal surveillance)
- How long did the conduct allegedly continue?
5c. Evidence and Intent
- What type of evidence did the CFTC cite to establish intent?
- Was there communications evidence (chats, voice recordings)? If so, describe what was found.
- Was there technology evidence (algorithm configurations, order parameters)?
5d. Comparative Analysis
After reviewing all three cases, write a 200-word synthesis addressing:
- What common elements appear across all three cases?
- Did the nature of the evidence (behavioral data vs. communications vs. technology) vary across cases? What does this suggest about how the CFTC builds cases?
- What trend, if any, do you observe in penalty levels across the three cases you selected?
- Based on your review, which aspect of the Chapter 22 detection framework (OTR, cancellation ratio, price impact correlation, communications review, technology review) would have been most likely to detect each case at an early stage?
5e. Reflection
In no more than 100 words, describe one aspect of the CFTC's enforcement approach that surprised you, and one aspect of the spoofing problem — based on the case details you reviewed — that you think is not adequately addressed by current regulatory frameworks.
Submit your written answers in a single document. Code for Exercise 4 may be submitted as a separate .py file.